Although you can use the state parameter to send data that will be returned to your client application when you receive the authentication response, you need to also use it as a way to mitigate against CSRF against your redirection endpoint. You can read more about the importance of doing this at: OAuth2 - The State Parameter
In addition, even when you use this parameter correctly to prevent CSRF and also to include data (like your URL), you need to take into consideration that it’s the responsibility of your client application to interpret that additional data. Some libraries perform automatic state validation from the perspective of CSRF mitigation, but if you then have custom behavior attached to a particular value received in the state parameter then you need to do this in your own client application.
Your question did not include any code associated with how it’s trying to react to this and perform an additional redirect based on the state parameter, so I’m assuming you were expecting this to happen automatically. If that’s the case, that is not true and you should handle that custom behavior in your own logic.